Often when companies complete their Risk Assessment, they gaps in how they are operating which leaves PHI vulnerable. There aren’t policies and procedures in place to guide employees. Maybe there aren’t guidelines for handling PHI in a disaster, or disclosing information to family members of a patient, or restricting access to PHI from employees who don’t need it.
HIPAA Requires a Book of Evidence
A Book of Evidence is a collection of all the policies and procedures your company or practice has in place when it comes to PHI and patient rights. It is required by law for covered entities and business associates and will need to be provided to an audit team if an audit occurs.
Some policies and procedures you should have laid out are:
- Passwords and safeguards
- Disaster response
- Reporting complaints/concerns
- Handling PHI outside of the office location
Why Should I Care About Having Policies and Procedures in Place?
Besides the legal requirements, it makes sense for day to day operations to have all policies and procedures laid out. Having a Book of Evidence can be beneficial as a reference material, when training or evaluating employees, and as a guideline for acting in unusual situations.
When it comes to training employees, there are concrete steps laid out for them to take in situations they will, or might, encounter. While it may work for a while to have one person or two who know everything and can take charge, what happens when they retire or leave the business? Relying on employees to train each other using institutional knowledge leaves you open to the possibility that doing things the wrong way one day becomes, “Well that’s the way we’ve always done it.”
Most importantly, having policies and procedures in place sets expectations and holds everyone to a clear standard and can be used to reassure patients or clients that you take their privacy and HIPAA compliance seriously.
Overall, it may seem like a lot of work at first, but creating policies and procedures will save you a lot of stress and effort in the long run.